[gpfsug-discuss] SMB and AD authentication

Mark.Bush at siriuscom.com Mark.Bush at siriuscom.com
Mon Feb 27 20:12:23 GMT 2017


That was it.  I just didn’t have the ScaleUsers group (special AD group I created) set as AD user Sirius\mark.bush’s primary group.  Once I did that bam…shares show up and I can view and id works too.

Thanks Christof.

On 2/27/17, 1:59 PM, "gpfsug-discuss-bounces at spectrumscale.org on behalf of Christof Schmitt" <gpfsug-discuss-bounces at spectrumscale.org on behalf of christof.schmitt at us.ibm.com> wrote:

    --unixmap-domains 'sirius(10000-20000)'

    specifies that for the domain SIRIUS, all uid and gids are stored as
    rfc2307 attributes in the user and group objects in AD. If "id
    Sirius\\administrator" does not work, that might already point to missing
    data in AD. The requirement is that the user has a uidNumber defined, and
    the user's primary group in AD has to have a gidNumber defined. Note that
    a gidNumber defined for the user is not read by Spectrum Scale at this
    point. All uidNumber and gidNumber attributes have to fall in the defined
    range (10000-20000).

    If verifying the above points does not help, then a winbindd trace might
    help to point to the missing step:

    /usr/lpp/mmfs/bin/smbcontrol winbindd debug 10

    id Sirius\\administrator

    /usr/lpp/mmfs/bin/smbcontrol winbindd debug 1

    /var/adm/ras/log.winbindd-idmap is the log file for the idmap queries; it
    might show a failing ldap query in this case.

    Regards,

    Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
    christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)



    From:   "Mark.Bush at siriuscom.com" <Mark.Bush at siriuscom.com>
    To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
    Date:   02/27/2017 12:41 PM
    Subject:        [gpfsug-discuss] SMB and AD authentication
    Sent by:        gpfsug-discuss-bounces at spectrumscale.org



    For some reason, I just can’t seem to get this to work.  I have configured
    my protocol nodes to authenticate to AD using the following

    mmuserauth service create --type ad --data-access-method file --servers
    192.168.88.3 --user-name administrator --netbios-name scale --idmap-role
    master --password ********* --idmap-range-size 1000000 --idmap-range
    10000000-299999999 --enable-nfs-kerberos --unixmap-domains
    'sirius(10000-20000)'


    All goes well, I see the nodes in AD and all of the wbinfo commands show
    good (id Sirius\\administrator doesn’t work though), but when I try to
    mount an SMB share (after doing all the necessary mmsmb export stuff) I
    get permission denied.  I’m curious if I missed a step (followed the docs
    pretty much to the letter).  I’m trying Administrator, mark.bush, and a
    dummy aduser I created.  None seem to gain access to the share.

    Protocol gurus help!  Any ideas are appreciated.



    Mark R. Bush| Storage Architect
    Mobile: 210-237-8415
    Twitter: @bushmr | LinkedIn: /markreedbush
    10100 Reunion Place, Suite 500, San Antonio, TX 78216
    www.siriuscom.com |mark.bush at siriuscom.com

    This message (including any attachments) is intended only for the use of
    the individual or entity to which it is addressed and may contain
    information that is non-public, proprietary, privileged, confidential, and
    exempt from disclosure under applicable law. If you are not the intended
    recipient, you are hereby notified that any use, dissemination,
    distribution, or copying of this communication is strictly prohibited.
    This message may be viewed by parties at Sirius Computer Solutions other
    than those named in the message header. This message does not contain an
    official representation of Sirius Computer Solutions. If you have received
    this communication in error, notify Sirius Computer Solutions immediately
    and (i) destroy this message if a facsimile or (ii) delete this message
    immediately if this is an electronic communication. Thank you.
    Sirius Computer Solutions
    _______________________________________________
    gpfsug-discuss mailing list
    gpfsug-discuss at spectrumscale.org
    http://gpfsug.org/mailman/listinfo/gpfsug-discuss






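Added example (not part of the thread and not IBM's code): the three conditions from Christof's reply, applied to constructed directory records. The sample accounts, RIDs and attribute values are made up for illustration, and the range 10000-20000 is assumed to be inclusive.

```python
# Checks the rfc2307 requirements for --unixmap-domains 'sirius(10000-20000)'.
RANGE = (10000, 20000)  # assumed inclusive

# Constructed sample data. primaryGroupID on a user is the RID of the user's
# primary group; primaryGroupToken on a group is that group's own RID.
GROUPS = [
    {"cn": "Domain Users", "primaryGroupToken": 513},  # no gidNumber set
    {"cn": "ScaleUsers", "primaryGroupToken": 1105, "gidNumber": 10001},
]
USERS = [
    # gidNumber on the user object is present here, but it is not what is read
    {"sAMAccountName": "mark.bush", "uidNumber": 10010, "gidNumber": 10001,
     "primaryGroupID": 513},
    {"sAMAccountName": "aduser", "uidNumber": 10011, "primaryGroupID": 1105},
    {"sAMAccountName": "administrator", "primaryGroupID": 513},
    {"sAMAccountName": "svc", "uidNumber": 500, "primaryGroupID": 1105},
]

def in_range(value, rng=RANGE):
    return rng[0] <= int(value) <= rng[1]

def check_user(user, groups, rng=RANGE):
    """Return the list of problems that would leave this user unmapped."""
    problems = []
    uid = user.get("uidNumber")
    if uid is None:
        problems.append("user has no uidNumber")
    elif not in_range(uid, rng):
        problems.append(f"uidNumber {uid} outside {rng[0]}-{rng[1]}")
    # Resolve the primary group by RID; the user's own gidNumber is ignored.
    by_rid = {g["primaryGroupToken"]: g for g in groups}
    group = by_rid.get(user.get("primaryGroupID"))
    if group is None:
        problems.append("primary group not found")
    else:
        gid = group.get("gidNumber")
        if gid is None:
            problems.append(f"primary group '{group['cn']}' has no gidNumber")
        elif not in_range(gid, rng):
            problems.append(f"gidNumber {gid} outside {rng[0]}-{rng[1]}")
    return problems

def report(users=USERS, groups=GROUPS):
    return {u["sAMAccountName"]: check_user(u, groups) for u in users}

if __name__ == "__main__":
    for name, problems in report().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

The constructed mark.bush record fails only on the primary group, even though a gidNumber is set on the user object; pointing primaryGroupID at the ScaleUsers RID clears it.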